GDPR and Data Protection Bill – 9 months to go

GDPR: What is going to happen in the UK?

With just nine months to go until the General Data Protection Regulation (GDPR) implementation date, are we getting closer to finding out how this will be implemented in the UK?

On 13 September 2017, the Data Protection Bill was introduced to the House of Lords. It sets out the Government’s proposals in regards to new data protection legislation and will need to be approved by the House of Lords. We are expecting the general debate to be on 10 October 2017.

The aims of the Bill

The Bill aims to provide people with more control over the use of their data, ensure that the UK’s laws fit the digital age we are in and also ensure that the UK is clear on its data protection obligations post Brexit. In the majority, the Bill will transfer the EU’s GDPR into UK law but there will be some UK specific rules. Whilst the UK remains a member of the EU the UK law will supplement the GDPR which will still automatically become part of our laws in May 2018.

The main elements of the Bill

Data processing

• Requesting personal data that an organisation holds on you will be easier and free of charge. It will also be easier for people to transfer personal data between service providers.
• The Bill will set the age where parental consent is not needed to process data online at 13 years (the GDPR gives the age of 16)
• It provides new rights for people to request the deletion of personal data and a new right to be forgotten when you no longer want your data processed and there are no legitimate grounds for it being retained.
• It will no longer be possible for businesses to rely on opt-out or pre-ticked boxes to give consent to collect personal data.
• The definition of ‘personal data’ will be expanded to take into account the progress in technology. IP addresses, internet cookies and DNA will all be included.
• The Bill proposes to continue with exemptions which have worked in the Data Protection Act 1998, particularly in areas such as financial services, journalism and research.

Law enforcement and national security

• Issues of national security and law enforcement have a bespoke framework to ensure the UK can tackle the changing global threats the UK faces and at the same time protect the rights of victims. At the forefront is the wish to ensure criminal justice agencies can continue to share data with other EU States. The processing of data by the intelligence services will be covered solely by UK law.

Enforcement

• It has been confirmed that the Information Commissioner’s Office (ICO) will be able to issue fines of up to 17 million or 4 percent of global turnover in cases of breach.
• New criminal offences will be created for certain intentional or reckless breaches where for example, the controller destroys personal data to frustrate subject access requests.
• It will be a requirement for controllers to notify the commissioner within 72 hours of a data breach taking place if the breach risks the rights and freedoms of an individual. Where there is a high risk, the business must notify the individual.

Brachers are able to advise on how to prepare for the changes to come in the area of data protection. For further information please speak to Sarah Wimsett or another member of the Employment Team.

This content is correct at time of publication